John Sonnenschein wrote:
[CC:'ing OpenSolaris Shell discussions <shell-discuss at opensolaris.org>]
>
> Hey security people
>
> I'm fishing for feedback on something. A user can't change his or her
> own shell in [Open]Solaris.
>
> What's everyone's thoughts on this approach to a solution to that:
>
> suid binary in /usr/bin:
> - allows users to change their own shell
> - via RBAC allows users with the solaris.admin.usermgr.write privilege
>   to change anyone's shell
>
> I have some code that works here: http://cr.opensolaris.org/~error404/chsh/
I wouldn't use a setuid binary in /usr/bin/ - originally I planned to have a
plugin system which supports more than /etc/passwd, e.g. have plugins which
are selected per /etc/nsswitch.conf and then allow setting the shell+gcos
information for { /etc/passwd, NIS+, YP, LDAP } and allow deployment of
3rd-party plugins, too (the plugin for /etc/passwd would be setuid to access
/etc/passwd r/w but the /usr/bin/chsh and /usr/bin/chgcos wouldn't be setuid).

> I'm wondering about delivering to ON... good idea? bad idea?

It's a good idea... originally I planned to do that in my free time (now a
bit occupied by other things) as part of the "shell project" (see
http://opensolaris.org/os/project/shell/ for the agenda).

----

Bye,
Roland

--
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 3992797
 (;O/ \/ \O;)
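The policy decision both messages describe (owner may change own shell, anyone else needs the solaris.admin.usermgr.write authorization, and the value must be safe to write into passwd), as an added example that is not code from the thread or from the chsh webrev; the allowed-shell list stands in for /etc/shells and the has_auth flag stands in for an RBAC lookup such as chkauthattr(3SECDB), both constructed here so it runs offline.

```c
/* Added example: the check a chsh-style tool should make before any
 * privileged component touches an account database. Inputs are
 * constructed; has_auth would come from chkauthattr(3SECDB) on
 * "solaris.admin.usermgr.write" on a real Solaris system. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for /etc/shells (getusershell(3C) in practice). */
static const char *const allowed_shells[] = {
    "/bin/sh", "/bin/ksh", "/usr/bin/bash", "/usr/bin/zsh", NULL
};

enum chsh_result {
    CHSH_OK = 0,
    CHSH_DENIED_OTHER_USER, /* caller != target and no usermgr.write auth */
    CHSH_BAD_SHELL,         /* shell not listed in /etc/shells */
    CHSH_BAD_PATH           /* not absolute, or would corrupt a passwd line */
};

static bool shell_is_listed(const char *shell) {
    for (const char *const *p = allowed_shells; *p != NULL; p++)
        if (strcmp(*p, shell) == 0) return true;
    return false;
}

/* Decide whether caller may set target's login shell to new_shell.
 * has_auth: caller holds solaris.admin.usermgr.write (RBAC). */
enum chsh_result chsh_check(const char *caller, const char *target,
                            bool has_auth, const char *new_shell) {
    /* A ':' or newline would split or forge fields in passwd(4). */
    if (new_shell[0] != '/' || strpbrk(new_shell, ":\n") != NULL)
        return CHSH_BAD_PATH;
    /* Only the account owner or an authorized admin may change it. */
    if (strcmp(caller, target) != 0 && !has_auth)
        return CHSH_DENIED_OTHER_USER;
    /* Unprivileged callers are limited to shells listed in /etc/shells. */
    if (!has_auth && !shell_is_listed(new_shell))
        return CHSH_BAD_SHELL;
    return CHSH_OK;
}

int main(void) {
    /* Constructed cases: own shell, someone else's shell, field injection. */
    printf("alice->alice /bin/ksh: %d\n", chsh_check("alice", "alice", false, "/bin/ksh"));
    printf("alice->bob   /bin/sh : %d\n", chsh_check("alice", "bob", false, "/bin/sh"));
    printf("alice->alice /bin/sh:x: %d\n", chsh_check("alice", "alice", false, "/bin/sh:x"));
    return 0;
}
```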